12b013eae1
ATTACK DETECTION ENHANCEMENTS: Added detection for critical modern attack vectors not in OWASP Top 10:

1. XXE (XML External Entity) Detection - detect_xxe()
   - XML entity patterns (<!ENTITY, <!DOCTYPE)
   - External entity references (SYSTEM, file://, php://, expect://)
   - URL-encoded variants (%3c!entity)
   - XML-specific patterns (jar:, .dtd)
   - Threat Score: 18 (HIGH)
   - Icon: 📄

2. SSRF (Server-Side Request Forgery) Detection - detect_ssrf()
   - Internal network targeting (localhost, 127.0.0.1, 169.254.x.x)
   - Private IP ranges (10.x.x.x, 192.168.x.x, 172.16-31.x.x)
   - Cloud metadata endpoints (metadata.google, 169.254.169.254, metadata.aws)
   - Protocol abuse (file://, gopher://, dict://, ftp://localhost)
   - URL parameter patterns (url=http, redirect.*http, proxy.*http)
   - Threat Score: 18 (HIGH)
   - Icon: 🌐

3. NoSQL Injection Detection - detect_nosql_injection()
   - MongoDB operators ($ne, $gt, $lt, $regex, $where, $in, $nin)
   - URL-encoded variants (%24ne, %24gt, %24where)
   - NoSQL-specific patterns (sleep(), this., function(), javascript:)
   - Threat Score: 15 (HIGH)
   - Icon: 🗄️

4. Template Injection (SSTI) Detection - detect_template_injection()
   - Jinja2/Twig patterns ({{ }}, {% %})
   - FreeMarker patterns (${ })
   - JSP patterns (<% %>)
   - URL-encoded variants (%7b%7b, %7b%25, %24%7b)
   - SSTI probe patterns (7*7, config., self., request., env.)
   - Threat Score: 20 (CRITICAL)
   - Icon: 📝
   - Color: White on Red (highest severity)

5. Encoding Bypass Detection - detect_encoding_bypass()
   - Double/triple URL encoding (%25XX, %252X, %2525)
   - WAF bypass attempts (%c0%af, %e0%80%af)
   - Unicode/UTF-8 bypass (%uXXXX, \uXXXX)
   - Threat Score: 12 (MEDIUM)
   - Icon: 🔀

CHANGES TO lib/attack-patterns.sh:
- Added 5 new detection functions (lines 128-206)
- Updated detect_all_attacks() to call new detections (lines 222-226)
- Updated calculate_attack_score() with new scoring (lines 251-255)
- Added icons for new attack types (lines 273-277)
- Added color coding (CRITICAL/HIGH/MEDIUM) (lines 289-291)
- Exported all new functions (lines 303-307)

IMPACT:
- Detection coverage expanded from 7 to 12 attack types
- Now covers modern attack vectors (API attacks, cloud exploits, WAF bypasses)
- Better threat scoring with 3-tier severity (CRITICAL/HIGH/MEDIUM)
- Real-time detection in live-attack-monitor
- Historical detection in bot-analyzer

NEXT STEPS:
- Consider User-Agent rotation detection (bot fingerprinting)
- Consider Tor/VPN/Proxy detection (anonymizer identification)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
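The detection and scoring scheme the commit message describes, as an added shell example that is not the project's lib/attack-patterns.sh: the function names mirror the ones the commit lists, the regexes are its listed signatures written as grep -E patterns, and the sample request lines are constructed. Because file:// appears under both XXE and SSRF in the commit, a request carrying it scores in both classes, which is worth knowing when reading the totals.

```shell
# Added example, not the project's lib/attack-patterns.sh: a minimal version of
# the detection approach the commit describes. Function names mirror the commit's,
# the regexes are its listed signatures, and the sample requests are constructed.
# Each detector takes one request line and returns 0 (hit) or 1 (no hit).
detect_xxe() {
    printf '%s' "$1" | grep -qiE '<!ENTITY|<!DOCTYPE|%3c!entity|SYSTEM +"|php://|expect://|jar:|\.dtd'
}
detect_ssrf() {
    printf '%s' "$1" | grep -qiE '(url|redirect|proxy)=https?://(localhost|127\.0\.0\.1|169\.254\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|metadata\.(google|aws))|file://|gopher://|dict://|ftp://localhost'
}
detect_nosql_injection() {
    printf '%s' "$1" | grep -qiE '(\$|%24)(ne|gt|lt|regex|where|in|nin)([^a-z]|$)|sleep\(|javascript:'
}
detect_template_injection() {
    printf '%s' "$1" | grep -qiE '[{][{].*[}][}]|[{]%.*%[}]|[$][{].*[}]|<%.*%>|%7b%7b|%7b%25|%24%7b'
}
detect_encoding_bypass() {
    printf '%s' "$1" | grep -qiE '%25[0-9a-f]{2}|%c0%af|%e0%80%af|%u[0-9a-f]{4}|\\u[0-9a-f]{4}'
}
# Sum the per-class scores from the commit: SSTI 20, XXE/SSRF 18, NoSQL 15, encoding 12.
calculate_attack_score() {
    local line="$1" score=0
    detect_template_injection "$line" && score=$((score + 20))
    detect_xxe "$line"                && score=$((score + 18))
    detect_ssrf "$line"               && score=$((score + 18))
    detect_nosql_injection "$line"    && score=$((score + 15))
    detect_encoding_bypass "$line"    && score=$((score + 12))
    echo "$score"
}
# Map a score onto the commit's 3-tier severity; anything below MEDIUM is reported as NONE.
severity() {
    if   [ "$1" -ge 20 ]; then echo CRITICAL
    elif [ "$1" -ge 15 ]; then echo HIGH
    elif [ "$1" -ge 12 ]; then echo MEDIUM
    else echo NONE; fi
}
# Score each request line on stdin and list them highest score first.
scan_log() {
    while IFS= read -r line; do
        s=$(calculate_attack_score "$line")
        printf '%s %s %s\n' "$s" "$(severity "$s")" "$line"
    done | sort -rn
}
# Constructed sample requests (not real traffic): hits for four classes plus a benign line.
SAMPLE_LOG='GET /api/users?filter[$ne]=1
GET /render?name={{7*7}}
GET /fetch?url=http://169.254.169.254/latest/meta-data/
GET /download?file=..%252f..%252fetc/passwd
GET /index.html'
printf '%s\n' "$SAMPLE_LOG" | scan_log
```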